Re: Are consumers being misled by "phishing"?

[mikeiscool <michaelslists () gmail com>]

On 6/29/06, n3td3v <n3td3v () gmail com> wrote:
> I believe the industry coined up "phishing" to make more money out of
> social engineering. Its obvious now that both are over lapping. Only
> the other day Gadi Evron was trying to coin up a phrase for "voice
> phishing". Why can't we cut to the chase and drop the (ph)rases and
> call it straight forward SOCIAL ENGINEERING.
>
> I believe your average single mom and retired couple will easily
> become confused if we keep throwing new catch phrase buzzwords at
> them. If we could just call it social engineering, then the world
> would be a less confusing place for the average social engineering
> vitcim.
>
> When Yahoo had "paydirect" (an online bank in partnership with HSBC,
> which was later dropped by Yahoo!) there was an exploit for obtaining
> account information you wanted from any Yahoo Account. So hundreds of
> script kids had this exploit which was released by hackers in the
> localised Yahoo security community. The technique was to get the
> account information via the web-based exploit in the Yahoo Paydirect
> service, then phone up Yahoo Customer Care and give them the account
> information, and hey ho, customer care sends you a new password.
> Around a hundred script kids were phoning customer care. I alerted
> Yahoo what was going on, but Yahoo Customer Care didn't stop accepting
> partial Yahoo account info in exchange for a new password. It was to
> be one of the biggest compromises of Yahoo accounts. Yahoo didn't fix
> the bug straight away, so it led to hundreds of accounts being
> compromised and never recovered. After this incident, and still to
> this day Yahoo Customer Care are easily socially engineered via the
> telephone if you offer them partial yahoo account information.
> (shocking)
>
> Point being, web-to-voice social engineering has been around forever,
> just a few smart guys are trying to coin a phrase, which is only going
> to confuse the mess that is "phishing". The name phishing should never
> have been coined, and I warn the industry not to add on anymore
> variants to the phishing term, which is in all means just social
> engineering.
>
> Phishing was a big mistake by the industry, now the last thing we need
> is "voice phishing" or any other (ph)rases...
> See comments section of:
> http://www.digg.com/security/Say_Hello_to_voice_phishing_2

but calling it something different allows gadi to add another item on
his list of things to complain about. we all know there are only three
security issues: bugs, design faults, and social enginering. let the
idiots have their terms, there is nothing you can do about it.

-- mic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/